LSA Shell (Export Version) + can't use TrendMicro House Call

By mohrng ยท 20 replies
Jan 29, 2009
  1. hello, techspot gurus...

    i've had a couple of strange problems lately - both today, in fact. at this point, i haven't noticed any performance issues, but i'd like to know what's going on in there...

    first, i got an error message relating to "LSA Shell (Export Version)". after this error message, i was told i had 60 seconds before the computer would shut down - i was locked-in to this, with no visible way to abort the shutdown. this LSA Shell error has only occurred once (to my knowledge).

    searches related to the LSA Shell problem led to alot of old (2004-06) threads mostly dicussing varieties of the Sasser virus. i downloaded and ran McAfee's Stinger and Symantec's standalone "Sasser Fix" - neither one found anything amiss. i ran SS+D, but it also found nothing. i searched a little more, found some more old info, and then tried TrendMicro's House Call: this is where it gets weird... i successfully ran House Call, but it somehow failed in the final moments. House call had already showed me a few problems - none seeming severe - which it intended to remove. after i clicked on the remove button, it froze up and the program became unresponsive. i tried House Call again and received this message upon attempting to begin the connection: "An error occurred while trying to transfer data from the Internet! Do you want Trend Micro House Call to try resending the required files?" then IE became unresponsive and the message window was frozen (whether i chose "Yes", "No", or tried to exit IE by clicking the X, i couldn't get out). i eventually just CTRL-ALT-DEL-eted my way out. and i've done the same three subsequent times... i can't get House Call to work. i re-read the "8 simple steps" and had to download some new stuff due to changes since the last time i was here.

    i ran MalwareBytes and SuperAnti-Spyware. i'll post the MalwareBytes log, but the SAS search turned up nothing. also, here is my HJT log (made after I'd done all the other steps).

    so... those are my onle two symptoms - LSA Shell (Export Version) crashing the system once, and inability to run HouseCall.

    thanks for all you guys do.
  2. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    Help with HijackThis log?

    it seems that no one who is interested in helping has run across my previous post... is there something i should do to get noticed?
    i'd really apprecaite if someone would look at my HijackThis log (attached to the previous post) and advise me about any changes i should make to my system.
  3. mflynn

    mflynn TS Rookie Posts: 2,655

  4. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    still can't run HouseCall

    here are all of the logs, fresh off the presses.
    all the scans were clean, including my Symantec anti-virus. i also ran a SS+D scan which turned up no spyware.

    i still can't run TrendMicro HouseCall. just tried, and again i received the same error message (see my first post). IE became unresponsive, i used CTRL-ALT-DEL to shut it down.

    thanks for any help anyone can offer.
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    OK I needed to be sure.

    What do you mean SS+D?

    Humor me here.

    I want to be sure your Norton and AVG AntiSpyware are not interfering with the scans.

    Download SD Fix to Desktop.

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    After posting the SDFix log

    Download ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here:
    Or here:

    Reboot again to Safe mode and

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

  6. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    SD Fix report

    here's the SD Fix report. i'll get right on the Combo Fix.
    Question: i told windows not to make system restore points (because I read elsewhere that some malware use that feature to basically reattach themselves after anti-malware programs clean them up). is this wise? i'm planning on system restore back on after i get word from you that my computer is clean again.

    also, when i've referred to "SD+D" i meant "Spybot-Search & Destroy"

  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Good. Make sure you use the Immunize function.

    SDFix did get one minor malware.

  8. mohrng

    mohrng TS Rookie Topic Starter Posts: 21


    i'm having some issues with the ComboFix step.

    i downloaded ComboFix from your link. i rebooted into safe mode, and tried to run ComboFix... but it told me i didn't have a current version. i tried the other link, but it appears to be the same version. i tried to run ComboFix anyway (despite it telling me it wasn't optimal because i was running an outdated version), but then ComboFix told me i had Symantec Auto-Protect running, which would mess with its operations. so i didn't run ComboFix.

    i went into Symantec, and tried to turn off auto-protect. couldn't do it, it said it was locked by Admin. rebooted as Admin, tried to turn off auto-protect. still couldn't figure out how to disable it, but i did change it from "auto-protect on startup" to "auto protect when symantec is running." only problem is, Symantec is always running. i'm not sure how to make it stop. do i "unload" it?

    another auto-protect type issue: i noticed in my free version of Ad-aware that under "AdWatch Live!", both "registry" and "network" are turned off, but "processes" is turned on. i noticed that processes claimed to have stopped a harmful process today. that process had a TAI of 10 - so now i'm worried about turning the "processes" part of "Ad-Watch Live!" off. what do you think? i've attached the Ad-Aware log about the process it blocked.

    lastly - my clock is now displaying in military time. doesn't usually do that.

    suggestions for what to do next?
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    That is a false positive from SDFix.

    Delete the SDFix install from the desktop then browse and delete the c:\SDFix folder.

    Did you ever have combofix before?

    combofix /u
    hit enter or click OK.

    This uninstalls ComboFix.

    Now redownload it.

    Boot to Safe Mode run Taskmgr and end all AntiSpyware and Norton processes that you can.

    Then run combofix.

    I am tired done for the night. Will check in in the morning.

    Good night!

  10. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    alright, i'm back to work on this.
    cleared out SDFix, uninstalled ComboFix, reinstalled ComboFix.
    rebooted in Safe Mode. no error message about ComboFix being out-of-date: so that's good.

    still got a message from ComboFix saying it detected that Symantec AntiVirus AutoProtect was running. ComboFix says it shouldn't run while AutoProtect is running, or something might explode. or something like that.

    did Run - taskmgr
    didn't look like AutoProtect or anything Norton was running.
    here is a list of all of the processes which were running in Safe Mode. are any of these the ones i need to shut down?
    (the following all end in ".exe")

    (the two below don't end in ".exe")
    System Idle Process

    when i go into Symantec to try to disable the Auto-Protect, i can't. i find the proper menu, but the check box labeled "Enable Auto-Protect" is always checked. i can't uncheck it, even as admin, because it is light gray instead of black, and next to it it says "(Disabled)." which, means i am completely unable to turn it off, right? so... i don't know how to turn off Auto-Protect, also don't know how to shut down Symantec.

    thus, i still haven't been able to run ComboFix. sorry - i'm probably missing something stupid. thanks again for your help. i'll be here at my house able to work on this until about 6 central time. if you're taking the weekend off, no worries.
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    OK here are 2 solutions.

    This is a keeper

    Try only this first if it don't work do the clean boot below.

    Just run it uncheck everything related to Norton/Symantec Adaware etc
    then reboot.

    When finished below recheck them back and reboot and they are back.

    Norton is sticky and may hang on so..

    Here are 3 links on how to do a clean boot of XP 3 links just for insight.

    You will reverse it when finished!

    Note if you are concerned about reinfection after downloading all then pull the network cable while doing all.

  12. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    tried the first link. the application worked, but after i rebooted in Safe Mode and tried to run ComboFix, i still got the message from ComboFix indicating that Symantec AntiVirus Auto-Protect was running.

    tried the three links about doing a clean boot. i think i successfully clean booted to Safe Mode, but still got the same message from ComboFix.

    i feel like these are my options:
    1. just say to hell with it and run ComboFix anyway. or is this likely to damage my computer?
    2. "unload" Symantec AntiVirus. except i'm not sure what "unloading" it will do, exactly.

    what do you think?
    how can Auto-Protect be running if I can't see it in Task Manager?
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    1. just say to hell with it and run ComboFix anyway. or is this likely to damage my computer?

    Won't hurt! Do it!

    BTW: We have cleaned some bad Malware so what is the state of the system now?

  14. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    ok. i'm not near my PC now, but i'll run ComboFix tonight or tomorrow and post the log right away.

    i haven't noticed any problems, exactly, since we cleared that stuff out, but i still for some reason cannot run TrendMicro HouseCall.
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    OK do this.

    Uninstall any Trend HouseCall in Add/Remove programs.

    Do a windows search for trend*.* delete those entries that are obviously HouseCall!


    Then do the below...

    Update then run SAS
    Click Preferences-Repairs

    Then counting down from top do the following entries
    Numbers 6, ,8 11, 12, 13, 15, 18, 19, 20, 23 and 24!


    Now try the Trend.

  16. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    ComboFix log

    ok. i just did a clean boot into safe mode, and then i ran ComboFix.
    the log is attached.

    i followed your instructions from previous post - did not get the same error message from TrendMicro HouseCall as before... but it still didn't run. just looked like it was getting ready to, and said "idle."
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Couple more to get!

    Boot to Safe mode networking to do the below!

    Left Drag mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.
    @echo off
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    attrib -h -s -r "c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}"
    attrib -h -s -r c:\program files\[u]0[/u]93004-15v.ram
    rd /s /q "c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}"
    del /"c:\program files\[u]0[/u]93004-15v.ram" f /q 
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finshed ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    Then run combofix once more to be sure it comes up clean post log.

  18. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    new ComboFix Log

    alright - did what you said. copied that whole string of commmands into command prompt. didn't have to hit enter or anything: it just went and did it's thing on its own (is that what should've happened). also, i'm obviously no expert on these things, but reading through commandm prompt afterwards, it seemed like some of the things in the commands you sent me worked, and some didn't... couldn't figure out how to copy-paste from that though... maybe they worked and i just mis-interpreted the feedback.

    anyway, after i ran the command stuff, i rebooted into safe mode and ran ComboFix again. here's the new log.

    thanks again for all your help and for sticking with this problem for the last several days.
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    That was a general cover all type script that works on what if finds and may give an error if it don't find something. So no problem.

    OK it looks as tho we are finished except for one item and it should be a quick remove.

    Run MBAM click More Tools-Run Tool
    Copy and paste the text in the box to the File name: box and click OK to delete the file.
    c:\program files\[u]0[/u]93004-15v.ram
    Reboot paste a final HJT log and update me on the status of the system, how is it now and are there remaining issues.

  20. mohrng

    mohrng TS Rookie Topic Starter Posts: 21

    did it!
    thanks again, you've been very helpful.
    God bless!

    p.s. do you have any general advice about safety/ malware prevention practices? or a link to such advice?
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    OK so all is fixed no more issues?

    The answer to your question is in the closing below.

    Thread closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner.
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.
    Look at

    Run SpyBot ocassionally and use the Immunize function.

    I highly reccomend Hostman: Hostman

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...